Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Ralph Droms <rdroms.ietf@gmail.com> Mon, 23 October 2017 16:25 UTC

Return-Path: <rdroms.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F19C13954E for <tls@ietfa.amsl.com>; Mon, 23 Oct 2017 09:25:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aH9gkP8ACdq4 for <tls@ietfa.amsl.com>; Mon, 23 Oct 2017 09:25:34 -0700 (PDT)
Received: from mail-qt0-x231.google.com (mail-qt0-x231.google.com [IPv6:2607:f8b0:400d:c0d::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEFFB139553 for <tls@ietf.org>; Mon, 23 Oct 2017 09:25:34 -0700 (PDT)
Received: by mail-qt0-x231.google.com with SMTP id p1so26884119qtg.2 for <tls@ietf.org>; Mon, 23 Oct 2017 09:25:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=inYFcDHwhiY+xHLjj3nWZoUjhtvTzQHW9shisSDzzSs=; b=XJD7bK9oD75iMcfUn+P2N8Nw6Y0JgtzeDe33SbKZ92nQK0Fv0fjRCp1KoGvKXG8GXv 6UyPc7X9DzJqBu8I1SExVP7V/DDBfGWKrK6NSWLS3YZCQuiWtMDVDM/TrQzAX8RwPt+o e71/Tv/KPTgBMx7sUy8sKATwKv4u9Lp83kpObV3k8kcrx6XQ2+yBqUwi2vE17HPv4LHe Bkmfa9u3uZfJZ8GgHbKGbNM1SDMxfHNJGriPbpJ72ZQkfDTm8Zjd1F+1GPb3OZSB4BGv 2k788xQgVuf2HstPYNOjXVfq+ZhedpXXTXMn3yy12Pv9R+7vVh75Cy5L30w8fR24WW9R ZcVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=inYFcDHwhiY+xHLjj3nWZoUjhtvTzQHW9shisSDzzSs=; b=sAroBLW1P1V/Hq7IWTbIAIJ9dNNMdG9n5QKqpkFQTan3OaD+bkmt/9bA5dO0+8vuIx yKiGbFlnw08VtZItintiHbiel5+42j7CKiSnA5urgragXlN3dUvi5cK4sSipEwllInjb tAbePcOzHVgCzpzXllAT8tEoWz7TQvNPTU3elGvQamm0K6hTt20UvRsU0bMc+GzAw74H ItzvAdoLuxQGxk+vE4xZ8Y7O4XIASPXh5h4QcK89EKNiZ/1hVYxjbTmtHTMgueIEGoTU tVn+e5sM7UJmCCL2AUlSdFElCty0IQUL2M8DZZe4OPIa19YQ0Hqqj4Ed7bXA325q00Me Q6Bg==
X-Gm-Message-State: AMCzsaVfVF6ewR3Pk1sHKBrIK2I/6cwZP1oUpUhIz+geIpI+64Xwj4mS v/apdhbNxTlt+xQgQHSUYYzulwMO
X-Google-Smtp-Source: ABhQp+TUven+HfJAJLOxnWGn4gE1IPTfuxqudcNySZ8oj5mEOZ4tT0uM4KpOk9mrvZAGjDOMniKKvw==
X-Received: by 10.200.44.70 with SMTP id e6mr21134111qta.197.1508775933809; Mon, 23 Oct 2017 09:25:33 -0700 (PDT)
Received: from ?IPv6:2601:18f:801:600:c167:7d58:9571:ad31? ([2601:18f:801:600:c167:7d58:9571:ad31]) by smtp.gmail.com with ESMTPSA id i12sm4976615qkh.83.2017.10.23.09.25.33 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 23 Oct 2017 09:25:33 -0700 (PDT)
From: Ralph Droms <rdroms.ietf@gmail.com>
Message-Id: <90235494-D1CA-4ABF-9AAC-4F8252927DCB@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E209BEBA-4327-4BD2-BC4B-C17B8E5C4713"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Mon, 23 Oct 2017 12:25:32 -0400
In-Reply-To: <3D02BAA1-D71C-4D95-99B6-BB04EF7E6E38@fugue.com>
Cc: IETF TLS <tls@ietf.org>
To: Ted Lemon <mellon@fugue.com>
References: <56687FEC-508F-4457-83CC-7C379387240D@akamai.com> <c1c0d010293c449481f8751c3b85d6ae@venafi.com> <4167392E-07FB-46D5-9FBC-4773881BFD2C@akamai.com> <3d5a0c1aab3e4ceb85ff631f8365618f@venafi.com> <E84889BB-08B3-4A3A-AE3A-687874B16440@akamai.com> <CAPBBiVQvtQbD4j3ofpCmG63MEyRWF15VL90NOTjeNqUOiyo6xg@mail.gmail.com> <9013424B-4F6D-4185-9BFD-EC454FF80F22@akamai.com> <CY4PR14MB1368CBA562220D9A3604F0FFD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <2741e833-c0d1-33ca-0ad3-b71122220bc5@cs.tcd.ie> <CY4PR14MB136835A3306DEEFCA89D3C2DD7430@CY4PR14MB1368.namprd14.prod.outlook.com> <20171020182725.7gim6dg3mrl67cuh@LK-Perkele-VII> <CAHOTMVJXiQqMGPfRy=z2=3D60L08BURrOxSAgGdH8_TCO6Hr8g@mail.gmail.com> <422F0052-D5C8-48ED-ACE6-05C9C2065AF9@vigilsec.com> <3D02BAA1-D71C-4D95-99B6-BB04EF7E6E38@fugue.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZyTf_7lgheeF2tihD7s-L701Drg>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Oct 2017 16:25:36 -0000

> On Oct 22, 2017, at 2:40 PM, Ted Lemon <mellon@fugue.com> wrote:
> 
> On Oct 22, 2017, at 1:54 PM, Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>> wrote:
>> No one is requiring TLS 1.3 that I know about.  However, there are places that require visibility into TLS.  I will let one of the people that works in a regulated industry offer pointers to the documents.
> 
> What they require is visibility into contents of the flow that they are using encryption to protect.   Right now, the protocol they are using is TLS 1.1 or TLS 1.2.   The right thing for them to do if they continue to need this visibility and are no longer permitted to use TLS 1.2 is to use IPsec+IKE,

Is there running code that demonstrates the IPsec+IKE can be deployed and operated at scale in the sort of environment the enterprise network tips have described to us?

> or some protocol that is designed for this use case, not to take a protocol designed specifically for securing flows from on-path eavesdropping and create a mode where it is easier to wiretap.

...assuming the necessary lead time and support from vendors to implement another protocol.

> There is no reason other than momentum for them to switch to TLS 1.3 when it doesn't address their use case.

But TLS 1.3 addresses *part* of the use case, as it does provide better security and it represents an incremental change to the current deployment and operation practices.  

- Ralph

> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls